docs: filter groups

Author: ekristen

docs/cli-experimental.md

@@ -20,6 +20,8 @@ aws-nuke run --feature-flag "wait-on-dependencies"
 
 ## Available Feature Flags
 
+- `filter-groups` - This feature flag will cause aws-nuke to filter based on a grouping method which allows for AND'ing
+  filters together.
 - `wait-on-dependencies` - This feature flag will cause aws-nuke to wait for all resource type dependencies to be 
   deleted before deleting the next resource type.
 
@@ -32,4 +34,21 @@ an attached policy.
 The problem is that if you delete the IAM Role first, it will fail because it has a dependency on the policy.
 
 This feature flag will cause aws-nuke to wait for all resources of a given type to be deleted before deleting the next
-resource type. This will reduce the number of errors and unnecessary API calls.
+resource type. This will reduce the number of errors and unnecessary API calls.
+
+### filter-groups
+
+This feature flag will cause aws-nuke to filter resources based on a group method. This is useful when filters need
+to be AND'd together. For example, if you want to delete all resources that are tagged with `env:dev` and `namespace:test`
+you can use the following filter group:
+
+```yaml
+filters:
+  ResourceType:
+    - property: tag:env
+      value: dev
+      group: group1
+    - property: tag:namespace
+      value: test
+      group: group2
+```

docs/config-filtering.md

@@ -21,6 +21,33 @@ against some resources and not others.
 Global works by taking all filters defined under `__global__` and prepends to any filters found for a resource type. If
 a resource does NOT have any filters defined, the `__global__` ones will still be used.
 
+## Filter Groups
+
+!!! important
+    Filter groups are an experimental feature and are disabled by default. To enable filter groups, use the
+    `--feature-flag filter-groups` flag.
+
+Filter groups are used to group filters together. This is useful when filters need to be AND'd together. For example,
+if you want to delete all resources that are tagged with `env:dev` and `namespace:test` you can use the following filter
+group:
+
+```yaml
+filters:
+  ResourceType:
+    - property: tag:env
+      value: dev
+      group: group1
+    - property: tag:namespace
+      value: test
+      group: group2
+```
+
+In this example, the `group1` and `group2` filters are AND'd together. This means that a resource must match both filters
+to be excluded from deletion.
+
+Only a single filter in a group is required to match. This means that if a resource matches any filter in a group it will
+count as a match for the group.
+
 ### Example
 
 In this example, we are ignoring all resources that have the tag `aws-nuke` set to `ignore`. Additionally filtering

docs/features/filter-groups.md

@@ -0,0 +1,11 @@
+# Filter Groups
+
+!!! important
+    This feature is experimental and is disabled by default. To enable it, use the `--feature-flag "filter-groups"` CLI argument.
+
+Filter groups allow you to filter resources based on a grouping method which allows for AND'ing filters together. By
+default, all filters belong to the same group, but you can specify a group name to group filters together. 
+
+All filters within a group are OR'd together, and all groups are AND'd together. 
+
+[Full Documentation](../config-filtering.md#filter-groups)

mkdocs.yml

@@ -77,6 +77,7 @@ nav:
       - Overview: features/overview.md
       - Bypass Alias Check: features/bypass-alias-check.md
       - Global Filters: features/global-filters.md
+      - Filter Groups: features/filter-groups.md
       - Enabled Regions: features/enabled-regions.md
       - Signed Binaries: features/signed-binaries.md
   - CLI: